The King County Library System asked me to present on cyber safety topics in a very neat program they have (“When everyone’s talking about it..”).  I have been giving two separate, but related presentations and both have been well-received by those who have attended.  Mine is but a small part of the KCLS program.  I have even attended presentations that I had interest  (like the presentation on drones!).  

For the most part, I have skipped over the basics in my presentations. There really isn’t much need to talk about “what is email” or “the Internet is a bunch of computers connected together”.  We all know that kind of information.  Rather, I have been giving practical advice on what to do right now to reduce the risk of having your devices compromised by hackers and reducing the risk of predators accessing your children online.  Every bit of information I talk about is real time applicable, from reducing your digital footprint to surfing the Internet while maintaining your privacy.  I even show how to use the Tor Browser and encrypted email!

In every presentation, I am seeing parents take notes furiously, ask serious questions, and show a genuine interest in online safety for their families and themselves.  For me, this is easy stuff.  I have already raised two kids in the digital age of Facebook and cell phones (hint: they survived, but still not easy).  And I have investigated cybercriminals (hackers, child pornographers, and others who have used technology to commit crimes).  That is the biggest benefit to attendees I try to give.  Cram as much pertinent information from what I know into an afternoon or evening presentation that can be put to use right away.  Free to anyone.

This is one of the few presentations you can step out the door and put the information to use before you get home.

But if you think this is just another Internet safety program, you are mistaken.  I go through how to use social media to help get (or keep) a job, get into (or prevent getting kicked out) of school for families and individuals, and reduce the risk of cyberbullying.  I show how easy it is for anyone to be a victim by clicking the wrong link or opening the wrong email along with ways to identify the dangerous links and emails. The term "Third party provider" takes on a whole new meaning to attendees when they are shown the ways their personally identifiable information (PII) can be stolen when stored on third party service providers such as their health insurance company or a toy company.

Most importantly, I answer tough questions. Although I give some guidance on creating family rules and personal use of technology, I leave it up to the invididual and family to decide what is appropriate. My guidance is to show how to create rules on the foundation of safety. Everything else is up to personal morals and values.

I’d like to credit the King County Library System for adding these presentations to their program this year because cyber safety is probably one of the most important topics today.   Everything comes down to cyber.  Whether it is personal information being leaked or hacked online or a child being lured from home, cyber is serious.  You can use technology safely and still enjoy the benefits but to ignore safety is like betting the farm on the Roulette wheel.  You never know when your number will come up, but when it does, it will hurt and hurt for a long time.

As far as this program (When everyone's talking about it) goes, KCLS nailed it.  I have organized more than a dozen training events and several conferences over the past decade.  I know exactly the effort needed to put something like this together and KCLS did it right.  If you are in King County, Washington, you really should check out the programs.  They do a fantastic job at a price you can't beat anywhere.  

As for me, I only have two more talks left.  All you need to do is show up.  No RSVP.  No charge.  Free parking.

Again, kudos to KCLS for putting this great program together.  Let's do it again next year.

----------------------------------My next talks----------------------------------

Cell Phones in the Family

Woodmont Library

26809 Pacific Hwy S, Des Moines, WA 98198

April 30, 2016      2PM – 3:30PM

Cell Phones in the Family

Newport Way Library

14250 SE Newport Way, Bellevue, WA 98006

June 23, 2016       7PM – 8:30PM

Never thought I would still see this happening…

http://www.ibtimes.co.uk/seattle-police-raid-home-privacy-activists-who-maintain-tor-anonymity-network-node-1552524

I have personally seen warrants served on the wrong address on two occasions.  The first was a drug investigation where the lead detective went to the wrong door to an apartment.   The warrant was correct in having the correct address, but the detective didn’t take the time to check the numbers on the door…

The second time I witnessed a wrong door entry was when the lead detective had the wrong address on both the search warrant and affidavit.  The detective never even corroborated the information to find the right address.  Basically, the detective looked down the street and picked the house she thought was the drug dealer’s house.  After SWAT kicked in the door and broke a few things in the process, it took all of 5 minutes to realize that it was the wrong house.  The drug dealer was on the next street over…the victim house got a new door from Home Depot and carpet cleaning paid for by the task force.  

Both of these warrants taught me something that I will never forget.  Before you kick in the door, make sure you got the right door.  After you make sure you got the right door, make sure again.  Then ask your partner to double-check that you got the right door. Then get a warrant and kick it in if the suspect doesn’t open it for you.

After investigating drug crimes, I went into cyber cases.  The same fear of entering the wrong house became even more worrisome since relying on IP addresses is not the same as relying on your eyes. You have to rely upon a fax from an Internet service provider for the address.  In an investigation case of following a suspect to his home, it is easy to physically see the house for which you plan to swear to in an affidavit.  But with an IP address, you have to rely on some third party service provider to give you the subscriber at the physical address where the IP address exists and trust that the information is accurate. That is at least one step before swearing to an affidavit to ask for authority to force your way into someone's home.  Investigators must still confirm that their suspect and/or evidence is at that particular and specific address, which requires at least some legwork to confirm the physical address.

When Tor is used by a criminal, relying on the IP address is worse than a bad idea, especially since it is so common knowledge that an exit node on the Tor network has nothing to do with the origin of any data that flows through it, other than the data flows through it.  I have taught and wrote about Tor as it relates to criminal/civil investigations for several years now, each time repeating:

IP address ≠ a person

MAC address ≠ a person

Email address ≠ a person

Tor IP address ≠ the address you want

CSI Cyber regularly does one thing right…whenever the cybercriminal uses Tor (proxies) on the show, the Hollywood FBI hackers don’t even try to trace it because they know that a proxy is not going to lead back to the cybercriminal.   They then resort to other means to find the cybercriminal before the hour ends.  Not that any of their other methods are realistic, but at least they got Tor right.  Anyone watching CSI Cyber even one time is exposed to explanations that tracing cybercriminals using Tor is virtually impossible.  This is the “CSI effect” in reverse.

Since TV show viewers can figure it out, you can imagine my surprise seeing this tweet today:

Rousted 6 am naked out of bed by @SeattlePD. Warrant to search for child porn. They knew the IP address was a #Tor exit, came in anyway.

— David W. Robinson (@jdormansteele) March 30, 2016

I don’t have access to the case reports, nor know anyone involved, but the one thing I can tell is that if this case was based on an IP address alone, I cannot fathom why no one checked to see if the IP address was a Tor exit node.  Checking a Tor exit node takes about 10 seconds.  The Tor Project even helps and provides everything you need.

https://check.torproject.org/cgi-bin/TorBulkExitList.py

Certainly, there are probably other details that could have led to going to the ‘wrong’ house, but running a Tor relay should not be one of those details.  At least currently, it is not illegal to run a Tor exit node.

The best analogy I can give to how relying on a Tor exit node to accurately reflect the physical address is that using an envelope.  Consider a criminal committing a crime through the mail (mailing drugs or something like that).  Instead of putting his address as a return address, he puts your address as the return address, drives to another city, and drops the package in a mail box on the side of the street.  Let’s say the police seize the package of drugs at its destination and then kick down your door because your return address was on the package.  Any investigator charged with tracking criminals online must (not should) be aware of how Tor works.  Even in the private sector investigating employee misconduct, or IP theft, knowing how Tor works is mandatory when IP addresses are involved.  You just can't get around knowing it unless you don't mind kicking down the wrong door one day..

https://www.torproject.org/about/overview.html.en

On side note, I am one of the biggest advocates of those who have the job of tracking, investigating, arresting, charging, prosecuting, convicting, and incarcerating predators of children.  I have not a bit of compassion for these criminals and I cannot imagine anyone feeling any different.

Coincidently, I gave a presentation on this very topic at an ICAC conference in the Seattle area last year…oh well.

UPDATE: APRIL 8, 2016

Link to the search warrant affidavit:  AFFIDAVIT

There always comes a time when an obscure, yet important concept, leaves the technical world and enters the main stream.  Recovering deleted files was one of those where we pretty much knew all along not only that it can be done, but that we have been doing it all along. The Snowden releases were another aspect of ‘yeah, we knew this all along, but the GFP (general f’ing public) was oblivious.

Encryption is just the most current ‘old’ thing to make the limelight.  Whenever something like this happens, there are ton of people ringing the end-of-the-world bells, clamoring that national security will be lost, and personal freedoms take a back seat to everything.  It happens all the time and when it happens, there is a fire to make new laws on top of thousands of other laws, in which the promise of better safety and security is as strong as a wet paper bag holding your groceries on a windy and rainy day.

Legally, it is super easy to ban, control, and/or regulate encryption. A stroke of the pen with or without citizen oversight can make it happen quickly and painlessly.  One signature on the last page of a law that is a ream in size is all it takes.

Practically, it is impossible to completely eliminate or control or regulate encryption.  The only thing laws will do is restrict the sale of encryption products by corporations.  Encryption exists in the minds of mathematical practitioners and can be recreated over and over again. You can't blank out someone’s brain (I hope not…).  Encryption is available everywhere on the Internet, from software programs that are FREE and OPEN SOURCE to download and even in TOYS that can be bought off Amazon.com.  These 'toys' work by the way.

Go ahead and ban encryption and people will just buy a $10 toy to create cipher text for emails.  Tor use will skyrocket as will third party online privacy providers operating in safe harbors overseas.  Banning encryption or breaking the trust of companies like Apple will only result in loss of business for corporations and (more) loss of trust by consumers of both corporations and government.  Even if encryption is not banned, but under the complete control of any government, that particular piece of technology won’t be used for anything other than entertainment. No business is going to transmit sensitive intellectual property data through an insecure system.  No government is going to use a system that can be more easily compromised by enemies or hackers.

The end result of banning encryption is creating a whole new class of “criminals” who just want to protect their private communications.  “Private” does not mean “illegal”.  Controlling the source code of Apple is only going to cause Apple to end up with 3 employees who will their only customers.  Not even the government will use Apple if they know the source code has been compromised...especially if compromised by the government itself.

Not long ago, I gave a presentation on Internet investigations to a group of law enforcement investigators.  One of the first questions I asked was 'Given authority and ability, what would like to see done in regards to the Internet?".  Most answers were to 'lock it down', 'watch everything', 'control it all', and "give government complete control".  At the end of the presentation, no one felt that way after I explained how that will negatively affect everyone down to the individual person business, including the government.  Ignorance may be bliss, but that doesn't make ignorance a good idea.

If this 'ban encryption bandwagon' keeps going, the next thing we will see is envelope regulations requiring the paper to be transparent, just in case the government needs to read your mail without opening it.